On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:
> On Wed, 12 Feb 2014, Tamas Papp wrote:
>> hi All,
>>
>> $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w
>> `cat pw`
>> ldap_bind: Referral (10)
>>     referrals:
>>         ldap:///uid=USER,cn=users,cn=accounts,dc=foo
>>
>>
>> [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from
>> ::1 to ::1
>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND
>> dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97
>> nentries=0 etime=0
>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
>>
>>
>> System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
>> Non-compat authentication works fine and authorization against compat is
>> also fine.
>>
>>
>> What is err=10?
> slapi-nis module in RHEL 6.x (and CentOS) does not support bind against
> compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).
>
> In older versions slapi-nis issues LDAP referral to the original LDAP
> entry with the hope that an LDAP client would follow it and perform a
> bind against the referral.
>
> Unfortunately, there is virtually no client software that supports the
> referral on bind operation.
>
> In short, you cannot do LDAP bind against compat tree in RHEL before
> 7.0.

I forgot to mention, the client would be Ubuntu 12.04 and it works/worked
with IPA 3.3 and F20.

If I understand correctly, you're referring to the client side, aren't you?
Or is it true for the server side as well?

Thanks,
tamas
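
Added example (not part of the thread and not FreeIPA or 389-ds code): a Python scan of a directory server access log that pairs each BIND with its RESULT and reports binds to the compat tree that were answered with a referral (err=10), the pattern in the log excerpt quoted above. The function name `referred_compat_binds` and the second connection in the sample are constructed for illustration.

```python
import re

# Sample log: conn=25363 is the excerpt from the thread (unwrapped);
# conn=25364 is constructed here for contrast.
SAMPLE_LOG = """\
[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
[12/Feb/2014:12:55:02 +0100] conn=25364 fd=80 slot=80 connection from ::1 to ::1
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 BIND dn="uid=USER,cn=users,cn=accounts,dc=foo" method=128 version=3
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')

LDAP_REFERRAL = 10       # LDAP result code 10 = referral
BIND_RESPONSE_TAG = 97   # 0x61, the BindResponse protocol op


def referred_compat_binds(log_text, compat_rdn="cn=compat"):
    """Return binds to the compat tree whose result was a referral."""
    pending = {}  # (conn, op) -> (timestamp, bind DN) awaiting a RESULT
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection-open lines carry no op= field
        key = (m["conn"], m["op"])
        bind = BIND_RE.match(m["rest"])
        if bind:
            pending[key] = (m["ts"], bind["dn"])
            continue
        res = RESULT_RE.match(m["rest"])
        if not res or key not in pending:
            continue
        ts, dn = pending.pop(key)
        rdns = [r.strip().lower() for r in dn.split(",")]  # naive split, no escaped commas
        if (int(res["tag"]) == BIND_RESPONSE_TAG
                and int(res["err"]) == LDAP_REFERRAL and compat_rdn in rdns):
            hits.append({"time": ts, "conn": int(m["conn"]), "dn": dn})
    return hits


if __name__ == "__main__":
    for hit in referred_compat_binds(SAMPLE_LOG):
        print(hit)
```
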
